[Principle Scan] Spring Boot Actuator Unauthorized Access Vulnerability

Problem Description

Actuator is a module provided by Spring Boot for introspecting and monitoring a running application. With it, developers can easily view and collect statistics on the application's monitoring metrics. When Actuator is enabled without access control, an unauthorized user can obtain the application's monitoring information simply by requesting the default Actuator endpoints.


Vulnerability scenario:

Note: in Spring Boot 1.x the endpoints are registered under the root URL; in 2.x they moved under the /actuator/ base path.
For example: http://ip:port/actuator/env

The following Actuator endpoints may have security implications, leading to possible vulnerabilities:

  1. /dump - displays a thread dump (including stack traces)
  2. /trace - displays the last few HTTP messages (may contain session identifiers)
  3. /logfile - outputs the contents of the log file
  4. /shutdown - shuts down the application
  5. /mappings - displays all MVC controller mappings
  6. /env - provides access to the configuration environment
  7. /restart - restarts the application

Solution:

1. Configure authentication

Add the spring-boot-starter-security dependency to the project's pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Then enable security in application.properties, configure the access username and password, and restart the application; a login prompt will then appear when the endpoints are requested.

management.security.enabled=true
security.user.name=admin
security.user.password=admin



2. Disable the interface

Disable all endpoints:
endpoints.enabled = false
Or disable only selected endpoints, such as env:
endpoints.env.enabled = false

A concrete example:

Configure in the yml file as follows:

management:
  endpoints:
    web:
      exposure:
        include: "*"
    enabled-by-default: false
  endpoint:
    health:
      show-details: always


Origin blog.csdn.net/hurtseverywhere/article/details/123705526